In the last post, we discussed the remote management of network devices using Telnet and SSH. We looked at what role password management plays in these remote connections. We then discussed privilege levels on network devices.

Now we will continue with our security topics.

CCNA Training – Resources (Intense)

We have focused on routers in the previous posts (although all the things we have discussed so far can also be applied on switches). In this post, we will shift focus to the switches in our network.

Our network diagram remains the same as before:

SWITCH SECURITY

Port Security

Since switches usually connect end users to the networks, it may be beneficial to apply some security features at this level rather than let upper layer devices like routers and firewalls handle it. When it comes to preparation for the CCNA exam, a lot of focus is placed on port security and VLAN features of switches even though you should be aware that Cisco switches have many more features like 802.1X, Dynamic ARP Inspection, and so on.

Let’s begin by understanding what port security is. If you recall, switches (layer 2 switches) work at the Data Link Layer of the OSI Model. At this layer, MAC addresses are the language of communication. It means IP addresses don’t make sense at this level. Unlike IP addresses, MAC addresses are usually more static.

For example, every computer (or IP phone, or printer, etc.) has a default unique MAC address that has been assigned to it when it was manufactured. When I speak of a device, I mean the subcomponent of the device that has to communicate with the network. What this means is that for a computer that has a wireless network adapter, a LAN adapter and a Bluetooth adapter, each of these subcomponents will have different MAC addresses. Let’s confirm this:

Open a command prompt on a Windows OS, for example, and issue the following command: ‘ipconfig /all’

As you can see from the figure above, the adapters on this computer have different (unique) MAC addresses. This is significant because it means one computer can have MULTIPLE identities depending on how it connects to a network.

Let’s take a look at MAC addresses for a bit. A MAC address is a 48-bit hardware address that uniquely identifies every device. It is usually written in Hexadecimal form (each hexadecimal character is 4 bits) as such:

AA:AA:AA:BB:BB:BBor AA-AA-AA-BB-BB-BBor AAAA.AABB.BBBB

We mentioned earlier that these addresses are unique for each device, so how do diverse companies all around the world know what MAC address to assign next?

Here is the answer- MAC addresses can be divided into two portions: the first (leftmost) 24 bits is known as the Organisationally Unique Identifier (OUI) and the last 24 bits are Network Interface Controller (NIC) specific. This means every company has a unique OUI assigned to it by IEEE. Some have multiple OUIs because of the company size and product variety. The NIC specific portion can then be assigned as the company deems fit, and they probably keep track of this so that there is no conflict of addresses.

For example, let us assume Cisco’s OUI is “00-00-0C”. If an Ethernet interface is manufactured by Cisco, they could assign it with a NIC specific address of “00-00-01”. The full MAC address of this interface will be “00-00-0C-00-00-01”.

Hint: You can search for the OUI of different companies here: http://standards.ieee.org/develop/regauth/oui/public.html. You can also search for the company that has a particular OUI using this link.

(Figure courtesy Wikipedia)

Why did we take that long talking about MAC addresses? Because MAC addresses are the basis of port security. Port security allows you to limit the input on interfaces to particular MAC addresses. For example, if you have a server connected to port Fa0/15 on a switch, since you know the MAC address of that server and it hardly ever changes (except when another NIC is installed), you can configure that particular interface to only accept input from the server’s MAC address. This reduces the chance of a rogue system being connected on that port.

Port Security uses the concept of Security Violations to detect attacks. A security violation occurs:

  • When a device whose MAC address is not contained in the address table of secure MAC addresses on that interface attempts to access that interface.
  • When a MAC address already learned on a secure port is seen on another secure interface in the same VLAN.

Figure showing port security violation by maximum number of configured MAC addresses.

Figure showing port security violation by port hopping.

When a security violation occurs, there are three ways in which the switch interface configured for port security can react, known as violation modes:

  1. Protect: In this mode, when the maximum number of configured secure MAC addresses for that interface has been reached, all packets from other unknown MAC addresses are discarded. The switch will continue discarding these packets until:
    1. A sufficient number of secure MAC addresses are removed to fall below the maximum configured for that interface;
    2. The maximum number of secure MAC addresses configured for that interface is increased.

    In this mode, no notification of a security violation is given, meaning packets are dropped silently.

  2. Restrict: This is exactly like Protect mode except that it is not silent. Notifications about security violations are given: SNMP trap is sent, syslog message is logged, the violation counter increments, etc.
  3. Shutdown: This is the most secure mode, but depending on your network, it may not be desirable. A security violation causes the interface to go into error-disabled state and shutdown immediately. The port LED turns off, an SNMP trap is sent, syslog message is logged and the violation counter increments.There are two ways to bring out a port from error-disabled state:
    1. Issue the errdisable recovery causepsecure-violation global configuration command.
    2. Manually enter the shutdown and no shutdown interface configuration commands.

    Shutdown is the default port security violation mode.

Also be aware that there is a “shutdown vlan” mode which is similar to the “shutdown” mode, but instead of shutting down the port, the VLAN in which the violation occurred is shut down. The table below shows these modes briefly:

Configuring Port Security

There are certain things you should be aware of before configuring Port security, like the fact that port security cannot be enabled on a dynamic interface or on an interface that is part of a Port channel group. You can view these restrictions here: http://www.cisco.com/en/US/docs/switches/lan/catalyst3750e_3560e/software/release/12.2_50_se/configuration/guide/swtrafc.html#wp1155214

The steps to configure port security on a switch interface are as follows:

  • Configure the interface as either an access port or a trunk port.
  • Enable port security.
  • Configure the maximum number of secure MAC addresses on that interface. The default is one.
  • Configure the security violation mode (protect, restrict, shutdown or shutdown vlan).
  • Manually configure the secure MAC address(es) on the interface.
  • Optionally enable sticky MAC address learning.
  • Optionally configure sticky MAC addresses for that interface.

Before we dive into configuration, let us look at the different types of secure MAC addresses supported by the switch:

  1. Static secure MAC addresses configuration: You can manually configure the secure MAC addresses for a particular interface. These MAC addresses are stored in the address table and added to the switch’s running configuration. If the running configuration is saved to the start-up configuration, these addresses don’t have to be reconfigured.
  2. Dynamic secure MAC addresses: Imagine if there were 50 possible MAC addresses that could appear on that port; it will be beneficial if there was a way to dynamically learn MAC addresses. These addresses are saved in the address table only and are removed when the switch restarts.
    1. Sticky secure MAC addresses: These can be manually or dynamically configured, and stored in the address table and in the running configuration. They can also be saved to the start-up configuration. The difference among these three is best understood in practice.

In that case, let’s get down to configuration straightaway.

Dynamic Secure MAC address

We will configure port security on port Fa1/1 of Switch_UK. This is the interface through which PC_UK connects to the network. It has a MAC address of 0060.7037.D4B5 as shown below:

Let’s take a look at port security statistics on that port before we do anything. We use the show port-security interface<interface> for this.

As you can see, port security is currently disabled on this port and the port status shows as “Secure-down“. No MAC address has been recorded. The default violation mode is shutdown and the default maximum MAC addresses on the interface is 1.

Now, let’s enable port security on this interface.

We will now view the port security settings on that interface to see what has happened.

Notice that port security is now enabled and the port status is “Secure-up“. But you will also notice that the last source Address has not changed. That’s because the computer connected to that port has not sent any packets. We will initiate a ping from PC_UK to the router to send packets.

That is the MAC address of PC_UK. Since the maximum secure MAC addresses that can be on this interface is one, it means if any packet from another MAC address is seen on this interface, a violation will occur and it will shut down.

We can also check the secure MAC addresses on a switch as a whole using the show port-security address command, or the secure addresses on a particular interface using the show port-security interface <interface> address command.

Because it is dynamically configured, this MAC address is not present in the running configuration so if the switch restarts, it will have to be learnt dynamically again. Let’s see this in action. I saved the configuration and restarted the switch.

Back to square one.

Sticky secure MAC Addresses

Since dynamic secure MAC addresses and sticky secure MAC addresses can be quite similar, let’s take a look at sticky addresses.To enable sticky learning, enter the switchport port-security mac-address sticky command under interface configuration mode. I’ll configure this and ping from PC_UK again.

This is what the port security settings for Fa1/1 looks like:

Notice that the Sticky MAC Addresses counter now shows 1.The type of secure MAC address is “SecureSticky” as shown below:

If we also check the running configuration, we will discover that this address has been added:

This is the difference between sticky and dynamic secure MAC addresses. Dynamic secure MAC addresses are not added to the running configuration so even if you save the running configuration and restart the switch, dynamically learned MAC addresses are lost and have to be re-learned. However, sticky secure MAC addresses are written to the running configuration and if saved to start-up configuration, these addresses will still be available when the switch restarts.

Please note that when sticky learning is enabled on a switch, all dynamically learned addresses are converted to sticky addresses, even those that were learned before sticky learning was enabled. Be aware that if you’re using Packet Tracer to practice and your switch already learned a dynamic address, it is not automatically converted to a sticky address when sticky learning is turned on.

We also mentioned that sticky secure MAC addresses can be manually configured, so instead of waiting for it to add that address above, you can add it manually using the switchport port-security mac-address sticky<mac-address> command. However, Cisco does not recommend this.

Static Secure MAC Addresses

MAC addresses can be specified directly on the interface without the need for dynamic learning. This is more secure because if an attacker were to be the first to send a packet on a port, his MAC address is added as a secure MAC address irrespective of whether or not this should happen.

The type of secure MAC address is “SecureConfigured”:

It’s time to try something fun. Since we can configure MAC addresses manually, let’s simulate an attack. We will configure the interface with another MAC address, initiate traffic from PC_UK and see what happens.

The ping does not go through. Why is this?

The Fa1/1 port has been shut down automatically. This is because a security violation occurred and the violation mode on the port is “shutdown”. We will also find out that the violation counter has been incremented.

Now let’s change the violation mode to “protect” and confirm that the violation counter is not incremented when a security violation occurs. I’ll reset everything to zero and test.

The ping still fails but notice the security violation counter below:

And finally, “restrict” violation mode:

As usual, the ping still fails as shown below:

But notice the difference between restrict and protect – the security violation counter increments:

Security Violation count of 4 to match the 4 ping packets.

Port Security aging

So far, we have seen the types of secure MAC addresses (static, dynamic and sticky) and have also explored the security violation modes (protect, restrict and shutdown). Now let’s talk about aging. Port security can be configured with aging options for secure addresses on a port. There are two types of aging:

  • Absolute: The secure addresses on the port are deleted after the specified aging time
  • Inactivity: The secure addresses on the port are deleted only after a period of inactivity as specified in the aging time.

By default, secure MAC addresses do not age. Aging options can be configured using the switchport port-security aging {static | timetime | type {absolute | inactivity}} interface configuration command.

While it is uncertain if you will be required to configure port security aging in the CCNA exam, it is good to be familiar with it (although these options cannot be configured in Packet Tracer).

Err Disable

We mentioned above that when a security violation occurs and the violation mode is set to “shutdown”, the port is put in error disabled state and shut down. We have seen that the port shuts down but we have not seen the error disabled state. This is the configuration we have on the Fa1/1 interface:

I have reset the violation mode to the default (shutdown) and since it is the default, it doesn’t show up in the configuration. Now, let’s initiate our ping packet:

As before, the ping fails. Also the port is shut down as shown below:

Now let’s check the status of the interface using the ‘show interfaces fa1/1’ command. We are only interested in the first line:

Now we see that the status of the port is “err-disabled”. Recovery can be done manually or automatically. The manual method is to issue the shutdown and no shutdown commands on the particular interface.

For auto-recovery, use the global configuration command errdisable recovery cause psecure-violation. You can also specify the interval after which the interface should be automatically recovered using errdisable recovery interval<seconds>.

Other Switch Security Features

There are a couple of other security features that should be applied on switches and we will run through them in this section:

  • Shutdown unused ports: This is fairly straightforward. Ports that do not have any cables connecting them to potentially live devices should be administratively shut down. This is because the default setting for ports on switches is enabled (status/protocol is down/down and will change to up/up when a cable connects it to a system).

    We will go ahead now and shut down that interface.

  • Assign unused ports to an unused VLAN: By default, switch ports are part of VLAN 1. By moving unused ports to an unused VLAN, this security mechanism with some others can protect against VLAN hopping attacks.
  • Setting native VLAN to other than VLAN 1: This is also a prevention mechanism against VLAN hopping attacks.
  • Set all unused ports to nontrunking mode: It is a good idea to configure unused ports as access ports so that even if an attacker gets access to such port, he cannot sniff all packets in that VLAN.

This brings us to the end of Part 3. In this lesson, we have looked at security on switches. We began with understanding MAC addresses. We then moved to port security and discussed the three violation modes that can be configured for port security: protect, restrict and shutdown. The difference between protect and restrict is that protect is ‘silent’. We also saw the three types of secure MAC addresses: dynamic, static and sticky. We discussed error disabled state of switch ports and how to recover from such state. Finally, we considered other types of switch security features like shutting down unused ports and setting the native VLAN to one other than VLAN 1.

In the 4thand final article of this series, we will look at turning off some unnecessary services running on network devices that can be exploited by attackers. We will also learn how to restrict remote connections using ACLs and finally, do some troubleshooting.

Some questions:

  • What is the OUI of the following MAC address: 44-7D-5F-00-B2-F4?
  • In which of the following modes will an SNMP trap be sent when a security violation occurs: protect, restrict, shutdown?
  • How can you recover a port from err-disabled state?

As before, answers will be given just before the next article when adequate responses have been received.

References